Is the external attack surface of your organisation putting you at risk?
By Maurits Mulders, Cybersecurity Engineer at Thales Netherlands
According to a recent survey conducted by Enterprise Strategy Group & Randori, only 26% of organizations perform continuous attack surface management. And yet, according to the same survey, 76% of organisations experience some type of cyberattack due to an unmanaged attack surface containing unknown and/or unmanaged assets. These numbers raise an important question: are you aware of the external attack surface of your organization? Do you know how to identify and map/classify your external attack surface? And perhaps most importantly: how to keep it up to date? No worries – we will explain the basics in this blog!
What is an external attack surface?
Let’s break it down, starting with the definition. The external attack surface is the sum of all internet facing systems, applications and servers that could potentially be exploited during a cyberattack. For an organisation, this could be a large surface area. That surface area starts with the more accessible e-mail and file servers, but then there is also the more complex IOT systems and other company specific systems that are needed for your day to day business. Don’t forget to think about your company issued telephone or laptop. How can you map all this? What is the right methodology?
How can you identify your external attack surface?
To map your external attack surface, you have to know what assets are part of your organisation, and which of these assets are freely exposed to the internet. The following methodology is advised: start with the known. List familiar things such as domain names, sub domains, e-mail servers, CMDB (Configuration Management Database) and IP ranges. Then go into the unknown.
Probably the hardest to map, because how do you know about your so-called shadow IT? One possibility is to look at the data flows that go the outside of your network. Other suitable options are to perform internal and external scans, or to start crawlers over your IP ranges to identify all external facing api’s and web applications.
Interview your teams
To complete the above investigation, don’t forget to interview your developers and users of the systems. As they are more familiar with those systems, they probably have some valuable information you might not have thought about. Once all your assets are discovered and identified, you can start classifying your external attack surface.
Your list of external assets could go into the hundreds, maybe thousands, after you have identified all of them. Therefore, it could help to classify them into categories, on which you can act accordingly. You could classify them based on function, design and technology. Examples of these categories could be: login/ authentication forms, admin pages, API, data entry forms etc.
So you’ve got your external attack surface assets identified… Now what?
Once all your assets are classified accordingly, it is helpful to describe to your categories by defining what type of vulnerabilities could occur within that category. This will help to identify the newest vulnerabilities more quickly, and will raise awareness about the risks involved. To enrich your categories, it is advised to also add the impact and the loss of data in case of a breach within each category.
Updating is key
It sounds like you are talking with a security engineer if you hear the term ‘updating is key’, but in this context we mean that you should keep your external attack surface updated. Create a methodology that is executed every month, or buy a service from a company who does it automatically for you. The options are unlimited, so choose whatever you like, as long as you keep it up to date!
I hope that this blog gave you some new insights on how to map your attack surface, how important it is to map the attack surface. Once you build your own methodology, you will be surprised about what possibilities companies accidentally give to adversaries that may want to attack your organization. Please don’t open up the doors of the external attack surface of your organization for the public, but instead treat it like a fortress – a stronghold to protect your company!
We can help you, contact one of our experts in the Netherlands.
Interested to be part of our cyber team in the Netherlands? Check our positions.
